Bugfixes

* hardening

* Amended for Yum mirrors

* meta-data

* Codespace (ansiblebook#2)

* No sudo in ubi8

* checkout@v3

* fixes

.ansible-lint

@@ -1,6 +1,7 @@
 ---
+# https://ansible-lint.readthedocs.io/en/latest/default_rules/
+exclude_paths:
+  - ./.github
+  - ./.vscode
 skip_list:
   - experimental  # all rules tagged as experimental
-  - fqcn-builtins  # Use FQCN for builtin actions.
-  - unnamed-task  # All tasks should be named.
-...

.devcontainer/Dockerfile

@@ -0,0 +1,20 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.134.0/containers/python-3/.devcontainer/base.Dockerfile
+ARG VARIANT="3.8"
+FROM mcr.microsoft.com/vscode/devcontainers/python:0-${VARIANT}
+
+# [Optional] Allow the vscode user to pip install globally w/o sudo
+ENV PIP_TARGET=/usr/local/pip-global
+ENV PYTHONPATH=${PIP_TARGET}:${PYTHONPATH}
+ENV PATH=${PIP_TARGET}/bin:${PATH}
+RUN mkdir -p ${PIP_TARGET} \
+    && chown vscode:root ${PIP_TARGET} \
+    && echo "if [ \"\$(stat -c '%U' ${PIP_TARGET})\" != \"vscode\" ]; then chown -R vscode:root ${PIP_TARGET}; fi" \
+        | tee -a /root/.bashrc /home/vscode/.bashrc /root/.zshrc >> /home/vscode/.zshrc
+
+COPY requirements.txt /workspaces/session/
+RUN pip --disable-pip-version-check --no-cache-dir install -r /workspaces/session/requirements.txt
+
+# [Optional] Uncomment this section to install additional OS packages.
+# RUN apt-get update \
+#     && export DEBIAN_FRONTEND=noninteractive \
+#     && apt-get -y install --no-install-recommends <your-package-list-here>

.devcontainer/devcontainer.json

@@ -0,0 +1,46 @@
+{
+    "name": "Python 3",
+    "build": {
+        "dockerfile": "Dockerfile",
+        "context": "..",
+        "args": {"VARIANT": "3.8"}
+    },
+    "customizations": {
+        "vscode": {
+          "settings": {
+            "python.pythonPath": "/usr/local/bin/python",
+            "python.linting.enabled": true,
+            "python.linting.pylintEnabled": true,
+            "python.formatting.autopep8Path": "/usr/local/py-utils/bin/autopep8",
+            "python.formatting.blackPath": "/usr/local/py-utils/bin/black",
+            "python.formatting.yapfPath": "/usr/local/py-utils/bin/yapf",
+            "python.linting.banditPath": "/usr/local/py-utils/bin/bandit",
+            "python.linting.flake8Path": "/usr/local/py-utils/bin/flake8",
+            "python.linting.mypyPath": "/usr/local/py-utils/bin/mypy",
+            "python.linting.pycodestylePath": "/usr/local/py-utils/bin/pycodestyle",
+            "python.linting.pydocstylePath": "/usr/local/py-utils/bin/pydocstyle",
+            "python.linting.pylintPath": "/usr/local/py-utils/bin/pylint"
+          },
+          "extensions": [
+              "redhat.ansible",
+              "ms-python.python",
+              "ms-python.pylint",
+              "ms-vscode.test-adapter-converter",
+              "hbenl.vscode-test-explorer",
+              "littlefoxteam.vscode-python-test-adapter",
+              "timonwong.shellcheck"
+        ]
+      }
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {},
+    "ghcr.io/guiyomh/features/vim:0": {},
+    "ghcr.io/jungaretti/features/make:1": {},
+    "ghcr.io/devcontainers-contrib/features/nmap-apt-get:1": {},
+    "ghcr.io/lukewiwa/features/shellcheck:0": {},
+    "ghcr.io/devcontainers-contrib/features/curl-apt-get:1": {},
+    "ghcr.io/eitsupi/devcontainer-features/jq-likes:1": {}
+  },
+  "forwardPorts": [2211],
+  "remoteUser": "root"
+}

.github/workflows/molecule.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: "${{ github.repository }}"
       - name: molecule
@@ -27,7 +27,7 @@ jobs:
       fail-fast: false
     steps:
       - name: checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           path: "${{ github.repository }}"
       - name: molecule

.pre-commit-config.yaml

@@ -0,0 +1,29 @@
+---
+# https://pre-commit.com/hooks.html
+default_language_version:
+  python: python3
+exclude: .venv
+repos:
+
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.27.1
+    hooks:
+      - id: yamllint
+        args: [-c=.yamllint]
+
+  - repo: https://github.com/robertdebock/pre-commit
+    rev: v1.5.2
+    hooks:
+      - id: ansible_role_find_unused_variable
+      - id: ansible_role_find_empty_files
+      - id: ansible_role_find_empty_directories
+
+  - repo: https://github.com/jumanjihouse/pre-commit-hooks
+    rev: 3.0.0  # or specific git tag
+    hooks:
+      - id: shellcheck
+
+  - repo: https://github.com/PyCQA/flake8
+    rev: 6.0.0
+    hooks:
+      - id: flake8

.vscode/extensions.json

@@ -0,0 +1,13 @@
+{
+    "recommendations": [
+      "redhat.ansible",
+      "ms-python.python",
+      "ms-python.pylint",
+      "ms-vscode.test-adapter-converter",
+      "hbenl.vscode-test-explorer",
+      "littlefoxteam.vscode-python-test-adapter",
+      "timonwong.shellcheck",
+      "davidanson.vscode-markdownlint",
+      "eamodio.gitlens"
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,21 @@
+{
+    "editor.rulers": [
+        120
+    ],
+    "files.associations": {
+        "**/molecule/**/molecule.yml": "yaml",
+        "**/templates/*.j2": "ansible-jinja",
+        "*.yml": "ansible"
+    },
+    "files.insertFinalNewline": true,
+    "files.trimTrailingWhitespace": true,
+    "python.testing.unittestArgs": [
+        "-v",
+        "-s",
+        "./test",
+        "-p",
+        "test*.py"
+    ],
+    "python.testing.pytestEnabled": false,
+    "python.testing.unittestEnabled": true
+}

.yamllint

@@ -1,8 +1,26 @@
 ---
+# https://yamllint.readthedocs.io/en/stable/rules.html
 extends: default
 
 rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  indentation:
+    indent-sequences: consistent
+    spaces: 2
+    level: error
+  line-length:
+    max: 120
+    level: warning
+  key-duplicates: enable
+  new-line-at-end-of-file: enable
+  new-lines:
+    type: unix
+  trailing-spaces: enable
   truthy:
     allowed-values: ['true', 'false']
     check-keys: false
-...

handlers/main.yml

@@ -1,34 +1,30 @@
 ---
 
 - name: Restart sshd
-  debug:
+  ansible.builtin.debug:
     msg: "checking /etc/ssh/sshd_config first"
   changed_when: true
   notify:
     - Check sshd configuration
     - Restart sshd - after config check
 
 - name: Check sshd configuration
-  become: true
-  command: '/usr/sbin/sshd -t'
+  ansible.builtin.command: '/usr/sbin/sshd -t'
   register: sshd_config
   changed_when: "sshd_config.rc != 0"
 
 - name: Restart sshd - after config check
-  become: true
-  service:
+  ansible.builtin.service:
     name: sshd
     state: restarted
 
 - name: Start RNG Entropy Gatherer
-  become: true
-  systemd:
+  ansible.builtin.systemd:
     name: rngd
     state: restarted
     enabled: true
 
 - name: Update crypto policies
-  become: true
-  command: update-crypto-policies
+  ansible.builtin.command: update-crypto-policies
   notify: Restart sshd
 ...

molecule/almalinux8/molecule.yml

@@ -30,7 +30,7 @@ provisioner:
       executable: /bin/bash
   playbooks:
     converge: ../resources/playbooks/converge.yml
+    verify: ../resources/playbooks/verify.yml
 verifier:
-  name: testinfra
-  directory: ../resources/tests
+  name: ansible
 ...

molecule/default/molecule.yml

@@ -10,14 +10,15 @@ lint: |
   ansible-lint
   flake8
 platforms:
-  - name: ssh-centos8
-    image: quay.io/centos/centos:stream8
-    command: /sbin/init
+  - name: ssh-ubi8
+    image: registry.access.redhat.com/ubi8/ubi-init
+    pre_build_image: true
+    command: /usr/sbin/init
     cgroupns_mode: host
     capabilities:
       - SYS_ADMIN
     published_ports:
-      - 127.0.0.1:2258:22
+      - 127.0.0.1:2211:22
     tmpfs:
       - /run
       - /tmp
@@ -32,7 +33,7 @@ provisioner:
       executable: /bin/bash
   playbooks:
     converge: ../resources/playbooks/converge.yml
+    verify: ../resources/playbooks/verify.yml
 verifier:
-  name: testinfra
-  directory: ../resources/tests
+  name: ansible
 ...

molecule/full/molecule.yml

@@ -68,7 +68,7 @@ provisioner:
       executable: /bin/bash
   playbooks:
     converge: ../resources/playbooks/converge.yml
+    verify: ../resources/playbooks/verify.yml
 verifier:
-  name: testinfra
-  directory: ../resources/tests
+  name: ansible
 ...

molecule/jenkins/converge.yml

@@ -4,6 +4,6 @@
   hosts: all
   tasks:
     - name: "Run ansible role"
-      include_role:
+      ansible.builtin.include_role:
         name: "workspace"
 ...

molecule/jenkins/molecule.yml

@@ -26,7 +26,9 @@ provisioner:
     defaults:
       stdout_callback: yaml
       executable: /bin/bash
+  playbooks:
+    converge: ../resources/playbooks/converge.yml
+    verify: ../resources/playbooks/verify.yml
 verifier:
-  name: testinfra
-  directory: ../resources/tests
+  name: ansible
 ...

molecule/localhost/molecule.yml

@@ -23,6 +23,7 @@ provisioner:
       executable: /bin/bash
   playbooks:
     converge: ../resources/playbooks/converge.yml
+    verify: ../resources/playbooks/verify.yml
 verifier:
   name: testinfra
   directory: ../resources/tests

molecule/resources/playbooks/converge.yml

@@ -2,9 +2,12 @@
 # Standards: 0.2
 - name: Converge
   hosts: all
-  become: true
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
   tasks:
-    - name: "Run ansible_role_ssh"
-      include_role:
-        name: "ansible_role_ssh"
+    - name: "Include {{ role_name }}"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
 ...

molecule/resources/playbooks/verify.yml

@@ -0,0 +1,14 @@
+---
+# Standards: 0.2
+- name: Verify
+  hosts: all
+
+  vars:
+    role_name: "{{ lookup('env', 'MOLECULE_PROJECT_DIRECTORY') | basename }}"
+
+  tasks:
+    - name: "Include {{ role_name }}"
+      ansible.builtin.include_role:
+        name: "{{ role_name }}"
+        tasks_from: verify
+...